<html>
<head>
<base href="https://bugzilla.netfilter.org/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - Error parsing JSON config via a pipe to subprocess's stdin"
href="https://bugzilla.netfilter.org/show_bug.cgi?id=1355">1355</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>Error parsing JSON config via a pipe to subprocess's stdin
</td>
</tr>
<tr>
<th>Product</th>
<td>nftables
</td>
</tr>
<tr>
<th>Version</th>
<td>unspecified
</td>
</tr>
<tr>
<th>Hardware</th>
<td>x86_64
</td>
</tr>
<tr>
<th>OS</th>
<td>Ubuntu
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P5
</td>
</tr>
<tr>
<th>Component</th>
<td>nft
</td>
</tr>
<tr>
<th>Assignee</th>
<td>pablo@netfilter.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>tad.ashlock@gmail.com
</td>
</tr></table>
<p>
<div>
<pre>Created <span class=""><a href="attachment.cgi?id=566" name="attach_566" title="C++ source file that demonstrates the problem">attachment 566</a> <a href="attachment.cgi?id=566&action=edit" title="C++ source file that demonstrates the problem">[details]</a></span>
C++ source file that demonstrates the problem
nft versions tested: 0.5, 0.9.0, 0.9.1
Linux kernel versions: 4.15.0 (Ubuntu 16.04.1), 4.14.120 (custom distro)
I'm fork-exec'ing "nft -f /dev/stdin", passing the configuration string via a
pipe from the parent process. When the configuration string gets larger than
8192 characters, the parser appears to get corrupted at the 8 KiB boundry.
(I've also seen it at the 16 KiB boundary, too.)
This behavior doesn't happen if I pipe the same configuration in from a shell:
"nft -f /dev/stdin <ruleset.txt" works fine.
I've attached a C++ source file that demonstrates the problem. The
configuration string was carefully crafted to cause the problem I'm seeing. To
test that I haven't screwed up the fork-exec pipe to stdin, the demo code also
sends the configuration string to 'tee' and 'sed', each of which writes their
stdin to a separate file. The configuration string is also directly written to
the file 'ruleset.txt' for comparison.
Build & run:
g++ test.cc -o test --std=c++11 -Wall
sudo nft flush ruleset
sudo ./test
sudo nft list ruleset
diff ruleset.txt tee-input.txt
diff ruleset.txt sed-input.txt
=========== START OF OUTPUT (sudo ./test) ==============
executing tee
#!/usr/sbin/nft -f
flush ruleset
#234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890
[snip]
#234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890
#23456789012345678901234567890
table ip filter {
chain input {
type filter hook input priority 0; policy accept;
iifname "lo" ip saddr 10.0.0.0/8 tcp dport ssh accept
}
}
executing sed
executing nft
/dev/stdin:95:42-48: Error: No symbol type information
^^^^^^^
unexpected exit status: 1
=========== END OF OUTPUT ==============
If you now add a space character before "dport" in the source code, rebuild, an
d rerun, the configuration will be parsed without an error.
There's nothing particular about "dport", that's just an arbitrary location I
picked. You can add or delete more comment characters to change which
character is the 8192nd and the error location will change, along with the type
of error.
Adding spaces around each 8 KiB boundary of the configuration appears to be
work-around for this problem.</pre>
</div>
</p>
<hr>
<span>You are receiving this mail because:</span>
<ul>
<li>You are watching all bug changes.</li>
</ul>
</body>
</html>